SecureState Blog

Read SecureState's award winning blog.

INDUSTRY: Government

SERVICES:  PCI Gap Analysis and PCI RoC Issuance

credit card security

Engagement Background

Identity theft is the fastest growing form of crime in the United States. In response, card associations, led by Visa and MasterCard, have created a data security standard called the Payment Card Industry (PCI) Data Security Standard (DSS). It was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS compliance is mandatory for ALL organizations that “process, store or transmit” cardholder data.  This includes government agencies.

Two separate state agencies recently contracted SecureState for assistance with PCI compliance. SecureState’s Audit and Compliance team performed a PCI Gap Analysis in order to evaluate their readiness for the PCI On Site Assessment, leading to RoC issuance. The evaluation: they are NOT ready. The problem: they need to issue an Attestation of Compliance to their merchant bank every year.


Highlighting the Problem of Government Bureaucracy

Based on SecureState’s experience, very few clients are fully compliant with PCI DSS requirements the first time through. Typically though, SecureState can offer organizations a clear roadmap, which if followed, will lead them to meeting compliance standards by the required date. In this case, the agencies have a significant roadblock preventing them from meeting PCI standards. A separate government administrative entity controls much of their IT resources, and many of their policies and procedures are problematically intertwined.

And that is where the real issues start. The administrative agency either fails to understand or refuses to accept that they are a PCI Level 1 service provider. They think of a “service provider” as an entity outside of the state, rather than an intertwined agency. It does not seem to matter to them that their thinking is completely wrong and will negatively impact the agencies’ ability to do business very soon.


What the Consultants Had to Say

“When you come in for the first time, you are usually undoing several years of poor IT decisions (non-compliant PCI choices). However, SecureState typically doesn’t issue many non-compliant RoCs, as it just usually doesn’t do the client any good. However, this is a unique situation. The state agencies believe that taking this document to the legislature will help convince them that if they want to continue doing credit card business, they need to gain more control over their CDE. On the other hand, high level staff within the agencies acknowledge that if their RoCs became public, they might be forced out of existence in favor of a privatized solution.  Either way, as it stands now they will be lucky to avoid some pretty significant fines.”

This situation highlights some of the problems government agencies face when required to apply strict controls. “In entities like this administrative agency, where you have a large overseeing IT body that houses systems for multiple divisions it is always best to start from the top down with your RoC. Unfortunately, the driver almost always comes from the bottom (that is, one or two of the divisions) and then the challenge is to work to make the managing entity understand the importance of making necessary changes to PCI policies and procedures. Without the total cooperation of the entity in question, it will be virtually impossible for any of this state’s individual agencies to comply with PCI DSS.”